
one my name is Chris Hansen this talk is from mattress salesman to InfoSec soldier if you didn't read anything online about what this is going to be about it's gonna be on ways that people can transition into this industry a lot of us didn't really start in InfoSec a lot of us kind of started in one thing and then kind of transitioned into it I'm gonna get into that a little bit and why that works and explain some of the reasons that that honestly is one of the best reasons that we want people to do that the first thing a little bit about me my name is Chris Hanson not that Chris Hanson unfortunately everyone
likes to comment on that of course I'm a Twitter fanatic my my handle is something I know 9 so feel free to follow me if you have questions comments concerns jokes hit me up whenever I'm happy to talk and we can you know help you guys out we can figure things out get you started on your career moving forward with a lot of this stuff and that being said if you do end up following me you'll find out very quickly that I am an avid hockey watcher and you're just gonna have to deal with it so let's move forward so what's this all about why why is this talking for and why is it even relevant to the field of InfoSec
compared to some of these other talks that are highly technical a lot more focused a lot more what what you think the industry would need really it's about you something that is super big in the industry right now is we're lacking a lot of people comparative to other industries the InfoSec community just doesn't have the manpower right now where we're lacking we're struggling and that you can you can tell you can feel it in the industry it is really a rapid growing industry and needs all the help you can get but above all this it's really just what makes you happy you know if you're not into this if you don't want to follow this don't feel
like you have to there's no point really most of the people who succeed really well in cybersecurity have passion for it they have a drive for it the ones who just kind of show up nine-to-five I try to get a paycheck and don't really do anything else they don't tend to last as long in the industry unfortunately so if you have the passion if you have the drive if you really want to move forward this is a perfect talk for you but it really applies to anyone who's looking for a change so if you're if you feel like you're stuck you're a sysadmin that's been there somewhere for 10 years 15 years maybe even a year and
a half you know you're feeling like you're not progressing you're not doing anything maybe it's a good time for a change maybe it's something new something fresh that you've been feeling it's just a good step forward it's really for anyone who loves a challenge a lot of people who transition into this come from like an engineering background or an engineering mindset and so if you like solving puzzles solving problems reverse engineering things creating new and unique ideas if you really like to innovate this is the perfect field for you there's so much that needs to be done so many innovators are needed this is a perfect place to get started people who love safety and security so
if you love having security and safety in your life this is the perfect place for you but really it applies to everyone because we all need security in order of fields so basically my story goes like this oh I moved to a new city and I was looking for a job made tons of money you know I'm a poor college student just getting fed up of eating ramen every day getting tired of it and realized that I needed something that was exciting for me something that would work in my use case and I could afford all the fun little things that I wanted to do fun little hobbies you know some of the things that the mattress place was
looking for I'm not gonna say their name but you could look them up under mattress companies conspiracies and you might just be able to find them they were recently in the news but they were looking for social skills someone I could talk to people someone I could work with people understand work on needs you know when a customer comes in you need to be able to help them with whatever happens they wanted people with managerial skills you had frequently people who would come to work and just I mean it's a mattress store what do you want to do is sleep all day you know people just don't want to work they don't want to do anything so someone who
could motivate those people and get them up and running and and doing things instead of just sitting around lazily and what I ended up with was a whole lot of time on my hands I work 60 70 hour weeks I was working from 10 o'clock in the morning till 8 o'clock at night I'd get off work I'd go do my own thing and wake up and start all over it was very much like a rough schedule if you've never done it tend to tend to a schedule that's a rough schedule for me so and a whole lot of time on my hands 10 hours of work at you know while I'm at work and like a lot of people you
know when I'm sitting at work when I'm doing things I like to have like an audio book or a podcast something that is always just kind of helping me out like I'm listening to something helping me so I listen to a lot of little podcasts and get some ideas and listen to youtube videos or conference talks and that goes down the path of what to do in this you know when you're transitioning but you know that kind of filters into why I transition this well cash out big time I made a lot of money doing mattress sales I know it sounds dumb because you'd think it's like oh it's a used car salesperson they don't
make a lot of make a lot of money making doing mattress sales the work hours were horrible you worked every holiday no weekends off but you make your money so you know kind of counteracts it kind of balances it for a long time I had the sobering realization that I don't want to do this the rest of my life sales is terrible sales is life sucking it's know if it's for you if you love it if you're great at it awesome good for you but it was not for me and so what I came to the conclusion of is I love specs I love information and like the data sets so when you're talking mattresses
with people you know you've got firm medium soft you know you've heard all that stuff but really when it gets down to it the nitty-gritty you get multiple different kinds of foams you get cooling foams you get hard foams you get soft foams you get coil density coil wrapping you get triple braided coils you get all these fun little things and over time it adds up and you've just got this whole useless data set that you can't talk about at the dinner table with friends because they're just sitting there looking at you like you're insane so I really enjoy data I enjoyed specs I enjoyed things like that so I was like well where can I use
this and so I found that I really wanted to change and move forward there's a great quote I love it we generally change ourselves for one of two reasons inspiration or desperation and I think my change was a little bit of both and I think most of yours will be as well or if you have gone through this it was you know pretty much one of these two you're you're trying to find something you're trying to feel better you're trying to transition into this industry and really what happens is you find inspiration here and I think that's kind of a beautiful thing but what does all this matter why does my story matter at all to
anyone most of you probably were not mattress salespeople and that's fine you know whatever walk of life you come from it doesn't matter we need you here in this industry I've talked to you know past nurses I've talked to people who coded video games I've talked to people who are pilots or aviation technicians I've talked to salespeople mattress salespeople of course I've talked to a bunch of different walks of life and what it comes down to is all these different people can bring these skill sets that you normally wouldn't understand you know for me when I was doing sales you know I started understanding like what the company would have to do for inventory management and things like that now on
the security side I know how to defend against some of those things because my brain knows what the end user would use you know medical it's the same thing you if you know what a nurse is going to do on a day to day basis you can adjust your security strategies to help pivot and protect against those things it eventually broadens our scope of what we cover in the industry and it helps us really diversify who can talk to who and make sense of all of it so it's definitely a good thing to be able to transition them but um my big takeaways that I want you guys to understand are you know don't settle if you feel like you're
stuck no matter where you are even if you're you know a network architect for some awesome company if you feel like you're stagnant if you feel like things aren't going anywhere if you feel like they're not invested in you find the people that will be there's always a company out there that will treat you right they will take care of you and they will train you you need to be constantly moving forward this is not a stagnant field you know sales is a very stagnant field people will be like oh it was super innovative it's been the same for ever there's there's a couple steps you just follow the cycle and you know it's whatever but technology isn't
it's always changing in the past ten years we've seen so many drastic changes in my lifetime I've seen so many drastic changes I mean Palm Pilots those don't exist anymore you know but they kind of do with smartphones so just things like that innovation in different ways but always seek for answers you know if you feel like you're the kind of person that is always striving to know everything if you want to be if you have that inquisitive mindset there's a perfect place for you I just want you all to realize that if you're stuck if you feel like you can't do this the change starts with you and there's plenty of people in the InfoSec
community to help you out I'll get into that in a little bit with resources so this is my biggest area of talk because I dedicated a lot of time and energy into resources as I said I worked at you know this company working 60 70 hour weeks and I had weeks where not even a single person would come into my store other than myself you know my my co-workers would take the week off and it would be like well I literally sat around for 60 hours cleaning and sanitizing and doing inventory but I didn't see anyone for like 60 70 hours and so for me these resources were one of the biggest things that helped me
conference talks you know just like BSides you know this is a second year I've talked at BSides in both years I'm a huge advocate for it they do some really cool stuff definitely check out their past conference talks cuz they're still good they're still relevant Def Con Def Con has some phenomenal talks and I'll be honest when I first started listening to Def Con talks I had no idea what I was listening to I was just listening to them because I was like you know what eventually I want to be able to understand these concepts these ideologies and I want to be able to apply them somehow all my life you know in the InfoSec community and we're
getting there Black Hat you know same thing and I'll go or I'll talk a little bit about Black Hat as well but staying on SAINTCON has some really good stuff they always have definitely check them out OpenWest I got to do a plug for OpenWest I'm on the board for OpenWest we're not doing it this year unfortunately but next year we're going to be back and better than ever and we're gonna be revamping everything so definitely support your open source community help everyone out make sure you show up to the conferences and you know follow what they've got YouTube YouTube has so much going on all of these conference talks that I kind of
talked about they are all on YouTube so if you're feeling like you know maybe those are a little bit heavy you don't understand what some of those are talking about like I said with Def Con I didn't understand like 99% of what I was listening to but I thought it was cool I was like you know what I'm just gonna listen to YouTube and so I started listening to certain people DC CyberSec is one that's really good The Cyber Mentor he's fantastic if you want to learn pen testing or penetration testing offensive security you know hacking he's got a lot of stuff DC CyberSec is more on the defensive side but he does a little bit of both
and Seytonic is fantastic definitely recommend him as well they all do news as well so if you want quick updates on what's happening in the world of you know hacking and malware and ransomware all that fun stuff it's all there there's podcasts no Darknet Diaries social engineering a bunch of fun ones and networking talk to me like I'm happy to network you guys with people I'm happy to get you guys you know connected to the right people if I know them big things that I would recommend 801 Labs not a lot of people go but everyone knows about it so definitely go to the 801 Labs you know spend times you know spend that energy
going every Tuesday we do a hardware night or Linux night it rotates every week Thursdays we always have something going on Thursday nights or if you can't make it to one you should just try for Thursday nights that definitely has the most killing on it 801 Labs is great some of the colleges have some courses that you can take but they've got clubs as well definitely show up to those those will help you out a lot really what it comes down to is there are a lot of people in this industry a lot of people around and we're willing to help we're willing to show you what we know and we've all been there before
none of us started out as brilliant geniuses in this industry we had to learn somewhere we had to start somewhere so that's some of the big things that I just wanted to convey and Q&A I know a lot of you guys are gonna ask questions so I kind of want to get to that so feel free for you know answering all of this stuff because that's really you know I want to get around to answering what you guys have and feel free to send me stuff on Twitter and you can send me DMs I'm happy to answer anything I want to answer all your questions so start start filling these up let's go over some of them I've been in IT for 22
years and have been interested in cyber security it seems more like employers are only interested in hiring candidates with college degrees top level certs like CISSP GIAC and there are a lot of associated big what would you recommend for obtaining low cost credibility while still keeping your day job the great question um this is what I had to go through when I was with mattress for mattress company one of the things I'd recommend study up follow some you know do if you don't have your Security+ if you don't have your PenTest+ some of the other ones that are coming out Security Blue Team has a cert coming out right now that I think is really
fantastic I would definitely recommend them they have a whole beginner how to from incident response threat hunting OSINT it covers the whole range of things it's more of a purple team concept but definitely recommend that it's about 60 pounds so that's six modules definitely worth it though some of the other ones if you can get into SANS if you can convince your employer to do SANS definitely do SANS there's a lot there learn from that I mean it's one of those things where you can just try and do as many sources available but likely you'll end up doing what I had to do and take a pay cut to get some experience at first and then
over the course of a year or two years you'll work back up to where you're making if not around the same more money so it's worth the risk in in taking that leap of faith and knowing that the the company will eventually take care of you and I definitely would go for that I noticed that in security industry they're all very entry-level positions or senior positions where they want you yeah they do I haven't found any mid-level positions yet if you have a lot of experience IT security emphasis master or security class making a lot of money already it's hard to take a pay cut and move into security how do you overcome this if I want to move into
InfoSec yeah I mean honestly like I said taking that pay cut unfortunately is one of the things that you might just have to do it's kind of sad but it is it's almost a necessary evil and most security companies have a lot that they need to teach you that are outside of the realm of what you're normally used to and so taking that pay cut of you know however much is worth it in the long run because once you learn those skills they outweigh drastically and you will move up back into again that same money or more money relatively quickly you're right though there are a lot of mid entry or mid-level positions and that's kind of because that's where
most of the people are in the industry we're kind of seeing like we have some really good people who are experienced that have been there forever and then we've got a lot of people who are kind of just in the middle they know a lot of stuff but not everything it's just this weird transition time and that's why it's a good time to get you know started with an entry level but definitely definitely go that route I think you'll be I think you'll be more prepared if you take the the pay cut and just eventually build back up and I know that's not the answer people want to hear but it's the truth I've got to
also Malicious Life podcast yes hands down fantastic Darknet Diaries yep fantastic so yeah I you know taking the pay cut kind of sucks but it'll definitely work out for you how can I be contacted just Twitter 801 Labs meetings I'm on a lot of things uh and then the 801 Slack I'm on IRC I'm in you know Discord you know I'm Twitter is really the best way to get a hold of me I'm happy to you know put my number out there for people who want to contact me if they hit me up on Twitter but if you're not on Twitter anyways you should be there's a huge security a huge security scene on Twitter and not
a lot of people like it but honestly that it's a good place for networking whether you like their opinions or not it's a good place to be around people who are extremely influential who do amazing work and do amazing things you know and some of them don't like certs some of them do some don't like educate you know it's whatever everyone has opinions on everything of course but what it comes down to is you'll at least be able to network a little bit better from both of those so yeah let me I'm going to type the answer there yeah you and that's that's my big one any other questions if not I can cover some other things that I think
would be mildly important but I think the big thing for a lot of people is even if you're in this industry and you're trying to transition like that person said trying to transition into a mid-level position you can find something here that will help you you know if you if you practice a little bit of pen testing maybe that'll help you move into a mid-range position if you practice more blue teaming if you know whatever you're not skilled or versed in definitely focus on it I'm not a huge Linux person as all of my friends know I am getting better in it I've been focusing on it I'm in it every day at work now but it's one of those things
where I definitely struggled and I'm trying to get better at it and I dedicate time to practicing Linux when I'm at home you know some of the sacrifices that you're gonna have to take are just got to do some of this stuff at home unfortunately if you're not willing to do that you might want to you know reevaluate the industry again as well a lot of us do extra curriculars outside of our regular jobs you know we volunteer at conferences I go to Black Hat every year I go to Def Con every year you know SAINTCON OpenWest BSides I go to a lot of conferences I volunteer as much as I can I try to get
out there and that definitely would help you good question what programming languages would you recommend to learn Python is fantastic so I've been learning Python at this job and it has been extremely extremely beneficial JavaScript is good I think Python SQL
a lot of people use curl as well those are kind of the ones that I would recommend for starting I definitely think Python's the number one right now if you have no experience it's a great starting point it's got a lot of resources out there it's got a lot of people who are using it every day and it's it's really not too bad yeah any other questions
you just grab them out and do it real quick
all right well if you have any other questions hit me up on Twitter at senpai night out or senpai underscore 909 I can connect you on any of my other things oh let's we got two more if you're already working in IT and also see if your employer will let you cross train and take some security related responsibilities and learn it by not access quickly absolutely yeah if you're already in the industry talk to your employer about cross training and explain to them number one if they're not cross training they should be anyways everyone in the industry should have a security mindset you know if help desk isn't learning about security best security practices that's a whole you
know problem that needs to be addressed as well but definitely cross train see if your employer will work with you on it and explain the benefits to it because yeah that could definitely help you move up so yeah fantastic point thank you for that but yeah if you you have questions hit me up I'm happy to answer anything if you want different ways of contacting me you know I will be posting a lot of this stuff on my Facebook and other things yes good question do you know if 801 Labs is going virtual for future meetings we are we actually had a hangout on Thursday so their Twitter go check it out because they
posted a Discord channel where we're all meeting we might even have an after party tonight for after BSides where we just kind of hang out and talk and you know I can answer questions it's great place for hanging out and it's a good good at little you know environment but yeah we might I think we're going to be doing virtual meetings up until around the 15th is one we're going to reevaluate if we're gonna start meeting again or we're gonna keep doing virtual for a little bit longer so yeah join us there I'll be on there tonight so if you have questions you know if you want to talk in Discord instead of messaging me
on Twitter or whatever I'm available I'm happy to answer questions but yeah thanks for coming I appreciate it they are on IRC so feel free to doing that it's a 801 it's DC 801 they are on there 24/7 I'm sure they're on there right now we are available by any means so with that I will pass over the time thank you very much